
Infected by zeroaccess (sirefef, conedex)


This topic is locked
16 replies to this topic

#1 Tramborggini

Members, 9 posts

Posted 11 March 2012 - 09:16 AM

Hi!
I don't know how I got infected, but a week ago when I was online my antivirus (Microsoft Security Essentials) started giving me warnings about some infections. I didn't get too excited and I told MSE to delete it, but soon it came back, and more of them came. MSE showed sirefef.p, sirefef.aa, sirefef.j, sirefef.n, sirefef.e, sirefef.i, conedex.a, conedex.b, conedex.c. I kept deleting them but they kept coming back, so I made a quick search online about those trojans and found out that it would be clever to change passwords, and I did it, but not from this infected computer. I also found some text about ComboFix solving this and similar cases, so I downloaded the program on another computer and printed the guide for ComboFix. I installed the program on my infected computer from a flash drive and cleaned it following the instructions from the guide.
MSE showed no more threats, but the ComboFix guide says that I should send the log file to one of the offered forums, and this forum was first on the list.

I read your preparation guide and I did all the preparation, so I'll put all the necessary logs with the ComboFix log (if needed).
Thanks for your help.


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_31
Run by Brc at 13:26:40 on 2012-03-11
Microsoft Windows 7 Ultimate 6.1.7601.1.1250.385.1033.18.2046.1303 [GMT 1:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil11e_Plugin.exe -update plugin
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{8032B404-D4F0-4574-B4D5-2313D2B163E1} : DhcpNameServer = 192.168.1.1
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\brc\appdata\roaming\mozilla\firefox\profiles\1l3ab98t.default\
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
.
============= SERVICES / DRIVERS ===============
.
R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2005-11-14 34176]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
R2 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 PE Licensing Service;c:\program files\common files\abbyy\finereader\9.00\licensing\pe\NetworkLicenseServer.exe [2007-12-6 660768]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-8-18 176128]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2011-4-18 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2011-4-27 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2011-4-27 208944]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-9-28 315392]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-1-23 15872]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2012-1-23 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2012-1-18 1343400]
.
=============== Created Last 30 ================
.
2012-03-11 11:57:32 6552120 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{a47457d4-a012-4121-855f-51cc9793340b}\mpengine.dll
2012-03-07 19:39:00 -------- d-sh--w- C:\$RECYCLE.BIN
2012-03-07 19:34:21 -------- d-----w- c:\users\brc\appdata\local\temp
2012-03-07 19:18:02 78336 ----a-w- c:\windows\system32\drivers\dfsc.sys
2012-03-07 19:14:47 98816 ----a-w- c:\windows\sed.exe
2012-03-07 19:14:47 518144 ----a-w- c:\windows\SWREG.exe
2012-03-07 19:14:47 256000 ----a-w- c:\windows\PEV.exe
2012-03-07 19:14:47 208896 ----a-w- c:\windows\MBR.exe
2012-03-03 17:51:09 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-03-03 17:46:43 -------- d-sh--w- c:\users\brc\appdata\local\a905bbe7
2012-02-17 13:57:19 478720 ----a-w- c:\windows\system32\timedate.cpl
2012-02-17 13:57:14 442880 ----a-w- c:\windows\system32\ntshrui.dll
2012-02-17 13:57:13 690688 ----a-w- c:\windows\system32\msvcrt.dll
2012-02-17 13:56:21 2343424 ----a-w- c:\windows\system32\win32k.sys
2012-02-14 17:54:19 -------- d-----w- c:\users\brc\appdata\local\Microsoft Games
2012-02-12 12:01:53 713784 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{a0a28ec9-4922-43b2-a77c-b29408209032}\gapaengine.dll
2012-02-12 12:01:53 703824 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\nisbackup\gapaengine.dll
.
==================== Find3M ====================
.
2012-03-03 21:03:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-03 17:47:47 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-31 12:44:05 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-23 14:04:04 152576 ----a-w- c:\windows\system32\msclmd.dll
2012-01-19 12:36:01 249856 ------w- c:\windows\Setup1.exe
2012-01-19 12:35:56 73216 ----a-w- c:\windows\ST6UNST.EXE
2012-01-18 19:00:39 0 ----a-w- c:\windows\ativpsrm.bin
.
============= FINISH: 13:27:13,73 ===============

Attached Files
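As an added example (not part of the original post, and not something DDS or ComboFix does), here is a small Python triage pass over the DDS sections above. Its sample input is constructed from the log: a few of the "Running Processes" lines and "Created Last 30" lines copied verbatim, plus one made-up svchost.exe path to exercise the process check. It flags what a helper looks for first: core system images running from outside System32, a freshly created hidden+system directory, a directory literally named after an environment variable, and an eight-hex-digit directory under AppData\Local. The last two are exactly the entries at c:\windows\system32\%APPDATA% and c:\users\brc\appdata\local\a905bbe7 in the log, and the ESET scan later in the thread confirms the a905bbe7 one (its quarantined contents come back as Sirefef). The rules are heuristics, not signatures; the list of System32-only images and the whitelisting of $RECYCLE.BIN are this example's assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample input: process and "Created Last 30" lines copied from the DDS
# log above, plus one made-up svchost.exe path (last process line) to exercise the check.
RUNNING_PROCESSES = r"""
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Brc\AppData\Local\Temp\svchost.exe -k netsvcs
"""

CREATED_LAST_30 = r"""
2012-03-07 19:39:00 -------- d-sh--w- C:\$RECYCLE.BIN
2012-03-07 19:18:02 78336 ----a-w- c:\windows\system32\drivers\dfsc.sys
2012-03-03 17:51:09 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-03-03 17:46:43 -------- d-sh--w- c:\users\brc\appdata\local\a905bbe7
2012-02-17 13:57:19 478720 ----a-w- c:\windows\system32\timedate.cpl
"""

# Core Windows images that only ever run from %SystemRoot%\System32 (assumed list).
SYSTEM32_ONLY = {"smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
                 "services.exe", "lsass.exe", "lsm.exe", "svchost.exe"}
SYSTEM32 = PureWindowsPath(r"c:\windows\system32")
SYSTEMROOT = PureWindowsPath(r"c:\windows")

# DDS "Created Last 30" line: timestamp, size (or dashes), 8-char attribute field, path.
CREATED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<size>\S+)\s+"
    r"(?P<attrs>[-a-z]{8})\s+(?P<path>.+?)\s*$")
HEX8_RE = re.compile(r"^[0-9a-f]{8}$")


def check_processes(text):
    """Flag core system images whose on-disk location is not where Windows keeps them."""
    findings = []
    for line in text.strip().splitlines():
        image = line.split(" -k ")[0].strip()          # drop svchost's service-group argument
        p = PureWindowsPath(image.lower())
        if p.name in SYSTEM32_ONLY and p.parent != SYSTEM32:
            findings.append(("core system image running outside System32", image))
        elif p.name == "explorer.exe" and p.parent != SYSTEMROOT:
            findings.append(("explorer.exe running outside %SystemRoot%", image))
    return findings


def check_created(text):
    """Flag recently created hidden+system directories and directory names malware favours."""
    findings = []
    for line in text.strip().splitlines():
        m = CREATED_RE.match(line)
        if not m:
            continue
        path, attrs = m["path"], m["attrs"]
        p = PureWindowsPath(path.lower())
        # 'd' = directory, 's' = system, 'h' = hidden; $RECYCLE.BIN is the one expected case (assumption).
        if attrs[0] == "d" and "s" in attrs and "h" in attrs and p.name != "$recycle.bin":
            findings.append(("new hidden+system directory", path))
        if "%" in p.name:
            # Windows never creates a directory literally named after an environment variable.
            findings.append(("directory literally named after an environment variable", path))
        if HEX8_RE.match(p.name) and "appdata" in p.parts:
            findings.append(("eight-hex-digit directory under AppData", path))
    return findings


def triage(processes_text, created_text):
    """Combined findings as (reason, path) pairs, in log order."""
    return check_processes(processes_text) + check_created(created_text)


if __name__ == "__main__":
    for reason, path in triage(RUNNING_PROCESSES, CREATED_LAST_30):
        print(f"{reason}: {path}")
```

Note what the pass does not flag: dfsc.sys under system32\drivers is recreated at 19:18, four minutes after the ComboFix tools (sed.exe, MBR.exe, PEV.exe) land at 19:14, which is consistent with ComboFix replacing the driver; the ESET scan later in the thread shows the quarantined copy detected as Sirefef.DA.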




#2 myrti

Sillyberry, Malware Study Hall Admin, 33,768 posts

Posted 13 March 2012 - 08:54 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.
If you are unable to create a log because your computer cannot start up successfully, please provide detailed information about the Windows version you are using: what we in particular need to know is the version, the edition and whether it is a 32-bit or a 64-bit system.
If you are unsure about any of these characteristics, just let us know and we'll help you figure it out. Please also tell us if you have your Windows CD/DVD handy.


Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • In the custom scan box paste the following:
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    wininit.exe
    hlp.dat
    /md5stop
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt<--Will be minimized

In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic, which will facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#3 Tramborggini

Topic Starter

Posted 15 March 2012 - 06:59 AM

I apologize for not answering till now, but I don't have permanent internet access or access to the infected computer, so when I get back home in a few days I'll do as you said in the post. I'm just letting you know so that my post won't be deleted.

Thanks for your help!

#4 Tramborggini

Topic Starter

Posted 18 March 2012 - 11:09 AM

Hi..
I have my infected computer and internet access so we can proceed.

When I first got the warning about the infection, I wasn't able to delete any of those infections from my computer until I used ComboFix. After that my antivirus hasn't been showing any warnings and I haven't been experiencing any other problems. However, I still wanted to make sure that my computer is secure.

Here are the OTL logs:

Attached Files



#5 myrti

Sillyberry, Malware Study Hall Admin

Posted 20 March 2012 - 03:57 AM

Hi,

there are some oddities in your log, but it looks as if the infection may be disabled.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the Jotti page has finished loading, click the Browse button and navigate to the file listed below, then click Submit. You will only be able to have one file scanned at a time.

C:\Windows\System32\wlancfg.dll

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

Please run OTL again and use the following settings:
  • Check Scan All Users.
  • For Processes choose none.
  • For Modules choose none.
  • For Services choose none.
  • For Drivers choose none.
  • For Standard Registry choose none.
  • For Extra Registry choose none.
  • For Files Created Within choose none.
  • For Files Modified Within choose none.
  • Under Custom Scans/Fixes paste:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wlancfg /s
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PID_PEPI /s
    HKEY_LOCAL_MACHINE|wlancfg /rs
    /md5start
    wlancfg.dll
    /md5stop
    
    
  • Finally hit Run Scan and wait for the log to open.
  • Please post the content of the log into your next reply.

regards myrti



#6 Tramborggini

Topic Starter

Posted 24 March 2012 - 03:18 PM

Filename: wlancfg.dll
Status:
Scan finished. 0 out of 20 scanners reported malware.
Scan taken on: Sat 24 Mar 2012 20:58:36 (CET)

Additional info
File size: 177152 bytes
Filetype: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
MD5: 79dddde43595f9d2b65e37c8b3316955
SHA1: d7dfa232f2fceda39c9e4d6b2b83c8440083c18f




Scanners
[ArcaVir]
2012-03-24 Found nothing
[Frisk F-Prot Antivirus]
2012-03-23 Found nothing
[Avast! antivirus]
2012-03-24 Found nothing
[F-Secure Anti-Virus]
2012-03-24 Found nothing
[Grisoft AVG Anti-Virus]
2012-03-24 Found nothing
[G DATA]
2012-03-24 Found nothing
[Avira AntiVir]
2012-03-23 Found nothing
[Ikarus]
2012-03-24 Found nothing
[Softwin BitDefender]
2012-03-24 Found nothing
[Kaspersky Anti-Virus]
2012-03-24 Found nothing
[ClamAV]
2012-03-24 Found nothing
[Panda Antivirus]
2012-03-24 Found nothing
[CPsecure]
2012-03-24 Found nothing
[Quick Heal]
2012-03-24 Found nothing
[Dr.Web]
2012-03-24 Found nothing
[Sophos]
2012-03-24 Found nothing
[Emsisoft Anti-Malware]
2012-03-24 Found nothing
[VirusBlokAda VBA32]
2012-03-23 Found nothing
[ESET]
2012-03-24 Found nothing
[VirusBuster]
2012-03-24 Found nothing

Attached Files
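An added example, not from the post and not part of Jotti or OTL: what the 0 out of 20 result above certifies is the file with MD5 79dddde43595f9d2b65e37c8b3316955, not "wlancfg.dll" by name, so before trusting a clean verdict (or acting on a bad one) check that the file on disk still has the size and hashes the report lists. The Python below parses the pasted report header, hashes a local file the way OTL's /md5start block does, and compares the two. The demo writes a constructed stand-in file into a temporary directory (the real DLL is not on this page) and shows the check passing, then failing once the file has changed by a single byte; the function names and the stand-in bytes are this example's own.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# The header of the Jotti report posted above, copied verbatim.
JOTTI_REPORT = """\
Filename: wlancfg.dll
Status:
Scan finished. 0 out of 20 scanners reported malware.
Scan taken on: Sat 24 Mar 2012 20:58:36 (CET)

Additional info
File size: 177152 bytes
Filetype: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
MD5: 79dddde43595f9d2b65e37c8b3316955
SHA1: d7dfa232f2fceda39c9e4d6b2b83c8440083c18f
"""

FIELD_PATTERNS = {
    "verdict": re.compile(r"(\d+) out of (\d+) scanners reported malware"),
    "size": re.compile(r"^File size:\s*(\d+) bytes", re.M),
    "md5": re.compile(r"^MD5:\s*([0-9a-fA-F]{32})", re.M),
    "sha1": re.compile(r"^SHA1:\s*([0-9a-fA-F]{40})", re.M),
}


def parse_jotti(text):
    """Pull size, hashes and the detection count out of a pasted Jotti report."""
    verdict = FIELD_PATTERNS["verdict"].search(text)
    return {
        "detections": int(verdict.group(1)),
        "scanners": int(verdict.group(2)),
        "size": int(FIELD_PATTERNS["size"].search(text).group(1)),
        "md5": FIELD_PATTERNS["md5"].search(text).group(1).lower(),
        "sha1": FIELD_PATTERNS["sha1"].search(text).group(1).lower(),
    }


def hash_file(path):
    """Size, MD5 and SHA-1 of a file on disk, the same values OTL's /md5start block reports."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha1.update(chunk)
            size += len(chunk)
    return {"size": size, "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verdict_applies(path, report_text):
    """True only if the file on disk is byte-for-byte the file the report describes."""
    report, local = parse_jotti(report_text), hash_file(path)
    mismatched = [k for k in ("size", "md5", "sha1") if report[k] != local[k]]
    if mismatched:
        return False, "report does not describe this file (differs in %s)" % ", ".join(mismatched)
    return True, "%d/%d detections apply to this file" % (report["detections"], report["scanners"])


def demo():
    """Constructed round trip: stand-in file, a report built for it, then the file modified."""
    with tempfile.TemporaryDirectory() as d:
        f = Path(d) / "wlancfg.dll"
        # Constructed bytes, not the real DLL; a PE-looking prefix is enough for the demo.
        f.write_bytes(b"MZ" + b"\x00" * 62 + b"constructed stand-in, not the real DLL\n")
        h = hash_file(f)
        report = (JOTTI_REPORT.replace("177152", str(h["size"]))
                  .replace("79dddde43595f9d2b65e37c8b3316955", h["md5"])
                  .replace("d7dfa232f2fceda39c9e4d6b2b83c8440083c18f", h["sha1"]))
        ok_before, _ = verdict_applies(f, report)
        f.write_bytes(f.read_bytes() + b"\x90")      # file changed after the scan
        ok_after, reason = verdict_applies(f, report)
        return ok_before, ok_after


if __name__ == "__main__":
    print(parse_jotti(JOTTI_REPORT))
    print(demo())
```

The same check is why the later exchange about dfsc.sys matters: once MSE had removed the WinSxS copy, there was no file left whose hash could be tied to ESET's verdict, so the helper had to fall back on MSE's own detection as the second opinion.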



#7 myrti

Sillyberry, Malware Study Hall Admin

Posted 25 March 2012 - 06:04 AM

Hi,
that is looking good!

Please run a scan with Eset to check for leftovers:
ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You will however need to disable your currently installed anti-virus; how to do so can be read here.

Vista users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here then click on ESET Online Scanner.

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on Start.
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on Start.
  • The virus signature database will begin to download. Be patient, this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on Finish.
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!



#8 Tramborggini

Topic Starter

Posted 01 April 2012 - 05:36 AM

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=477646e6229d0940b21e1ed71319f61f
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-04-01 10:12:14
# local_time=2012-04-01 12:12:14 (+0100, Central European Daylight Time)
# country="Croatia"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=5893 16776574 100 94 5947681 84903373 0 0
# compatibility_mode=8192 67108863 100 0 198 198 0 0
# scanned=101200
# found=10
# cleaned=0
# scan_time=2952
C:\Qoobox\Quarantine\C\Users\Brc\AppData\Local\a905bbe7\U\80000000.@.vir probably a variant of Win32/Sirefef.DV trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Windows\assembly\GAC_MSIL\desktop.ini.vir a variant of Win32/Sirefef.EF trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Windows\system32\pcx1unic.dll.vir probably a variant of Win32/Sirefef.ER trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Windows\system32\tap0901.dll.vir probably a variant of Win32/Sirefef.ER trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Windows\system32\Drivers\dfsc.sys.vir Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Windows\system32\Drivers\dfsc.sys.vir_ Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7601.17514_none_89a197c9445dfde9\dfsc.sys Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
D:\Program Files\Instalacije\cdburnxp_setup_4.3.8.2474.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
D:\Program Files\Instalacije\Angry Birds\Patch.exe a variant of Win32/HackTool.Patcher.U application (unable to clean) 00000000000000000000000000000000 I
D:\Program Files\Instalacije\nero63115\Keygen.exe a variant of Win32/Keygen.CY application (unable to clean) 00000000000000000000000000000000 I
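Added example, not part of the post or of ESET's tooling: a parser for the log format above that does two things a reviewer otherwise does by eye. It checks the "# key=value" header against the options the helper asked for in the previous post (remove found threats off, scan archives on, anti-stealth on; the log as posted says archives_checked=false, so this scan did not look inside archives), and it splits the findings into ComboFix quarantine hits under C:\Qoobox\Quarantine, "application" verdicts (keygens, patchers, bundlers: unwanted software rather than an infection), and detections live on disk, which here leaves only the dfsc.sys copy in the WinSxS component store. The sample input is six of the ten finding lines copied from the post; the required-option table and the rule that "application" verdicts are unwanted rather than malicious are this example's assumptions.

```python
import re

# Constructed sample input: the option header and six of the ten finding lines from the
# ESET log posted above, copied as they appear there (ESET writes the fields tab-separated;
# the forum flattened them to spaces, and the parser accepts either).
ESET_LOG = r"""
# version=7
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
C:\Qoobox\Quarantine\C\Users\Brc\AppData\Local\a905bbe7\U\80000000.@.vir probably a variant of Win32/Sirefef.DV trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Windows\system32\Drivers\dfsc.sys.vir Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7601.17514_none_89a197c9445dfde9\dfsc.sys Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
D:\Program Files\Instalacije\cdburnxp_setup_4.3.8.2474.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
D:\Program Files\Instalacije\Angry Birds\Patch.exe a variant of Win32/HackTool.Patcher.U application (unable to clean) 00000000000000000000000000000000 I
D:\Program Files\Instalacije\nero63115\Keygen.exe a variant of Win32/Keygen.CY application (unable to clean) 00000000000000000000000000000000 I
"""

# Options the helper asked for (assumed mapping of the instructions to ESET's header keys).
REQUIRED_OPTIONS = {
    "remove_checked": "false",       # "Remove found threats" must NOT be checked
    "archives_checked": "true",      # "Scan archives" must be checked
    "antistealth_checked": "true",   # "Enable Anti-Stealth Technology"
}

# <path> <detection name> [(status)] <32-hex hash field> <flag>; the path may contain spaces.
FINDING_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<detection>(?:probably )?(?:a variant of )?\S+ (?:trojan|application|virus|worm|adware))"
    r"(?:\s+\((?P<status>[^)]*)\))?\s+"
    r"(?P<hash>[0-9a-fA-F]{32})\s+(?P<flag>\S+)$")


def parse_eset_log(text):
    """Split an ESET log into its '# key=value' header and parsed finding records."""
    options, findings = {}, []
    for line in text.strip().splitlines():
        if line.startswith("# "):
            key, _, value = line[2:].partition("=")
            options[key.strip()] = value.strip()
            continue
        m = FINDING_RE.match(line)
        if m:
            findings.append(m.groupdict())
    return options, findings


def is_quarantined(path):
    """ComboFix moves what it removes under C:\\Qoobox\\Quarantine and renames it *.vir."""
    p = path.lower()
    return "\\qoobox\\quarantine\\" in p or p.endswith((".vir", ".vir_"))


def triage_eset(text):
    """Option mismatches to rerun for, plus findings split into quarantined / unwanted / live."""
    options, findings = parse_eset_log(text)
    mismatches = {k: (want, options.get(k)) for k, want in REQUIRED_OPTIONS.items()
                  if options.get(k) != want}
    result = {"option_mismatches": mismatches, "quarantined": [], "live_malware": [], "pua": []}
    for f in findings:
        if is_quarantined(f["path"]):
            result["quarantined"].append(f)
        elif f["detection"].endswith(" application"):
            # ESET reports keygens, patchers and bundlers as "application": unwanted, not an infection.
            result["pua"].append(f)
        else:
            result["live_malware"].append(f)
    return result


if __name__ == "__main__":
    r = triage_eset(ESET_LOG)
    for key, (want, got) in r["option_mismatches"].items():
        print(f"option {key}: wanted {want}, log says {got}; rerun the scan")
    for f in r["live_malware"]:
        print("LIVE:", f["path"], "->", f["detection"])
    print(len(r["quarantined"]), "quarantined,", len(r["pua"]), "unwanted applications")
```

Anything in the quarantined group disappears when ComboFix is uninstalled, which is the point the helper makes two posts later; the live group is what still needs a decision, and the hash field of all zeros on this version of the log means the file's own hash has to be taken separately, as in the Jotti check above.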

#9 myrti

Sillyberry, Malware Study Hall Admin

Posted 01 April 2012 - 11:56 AM

Hi,

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the Jotti page has finished loading, click the Browse button and navigate to the file listed below, then click Submit. You will only be able to have one file scanned at a time.

C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7601.17514_none_89a197c9445dfde9\dfsc.sys

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

regards myrti



#10 Tramborggini

Topic Starter

Posted 01 April 2012 - 12:53 PM

You don't have permission to open this file.
Contact the file owner or an administrator to obtain permission.

This is the message I get when I try to upload the file, and my antivirus MSE reports a new threat.
I am the only user, logged on as administrator.

#11 myrti

Sillyberry, Malware Study Hall Admin

Posted 01 April 2012 - 01:00 PM

Hi,

is MSSE reporting the threat in the file we're trying to upload? Sounds as if MSSE might be blocking your access to the file.

regards myrti



#12 Tramborggini

Topic Starter

Posted 01 April 2012 - 01:32 PM

In the meantime MSSE reported that it cleaned the infection, and now the file C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7601.17514_none_89a197c9445dfde9\dfsc.sys no longer exists. When I try to browse to it with Jotti the folder is empty.

regards...

#13 myrti

Sillyberry, Malware Study Hall Admin

Posted 01 April 2012 - 01:56 PM

Hi,

well that is a good thing. I mostly wanted confirmation from virustotal that the file is not just detected by Eset but by others too (for example MSSE) and I would have asked you to delete that file, if it had come back as bad.

In this case MSSE detected the file as malicious and deleted it when you tried to upload it. All other files in the Eset scan are in ComboFix's quarantine and will be removed once we uninstall the utility. Before we do that, however, I would like you to update your Adobe Reader:
Your version of Adobe Reader is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Adobe components and update:
  • Download the latest version of Adobe Reader Version X. and save it to your desktop.
  • Uncheck the "Free McAfee Security plan Plus" option or any other Toolbar you are offered
  • Click the download button at the bottom.
  • If you use Internet Explorer and do not wish to install the ActiveX element, simply click on the click here to download link on the next page.
  • Remove all older versions of Adobe Reader: go to Add/Remove Programs and uninstall all versions of Adobe Reader, Acrobat Reader and Adobe Acrobat.
    If you are unsure of how to use Add or Remove Programs, then please see this tutorial: How To Remove An Installed Program From Your Computer
  • Then from your desktop double-click on Adobe Reader to install the newest version.
    If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the "Adobe Setup - Welcome" window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
  • Once the installation is finished, open Adobe Reader and accept the warranty if prompted.
  • Click on Help and select Check for Updates.
  • A window will open and Adobe will check for Updates. If any updates are found to be available click on Download.
  • Once the update is downloaded you will get a system notification telling you so. Click on the popup to restore the window.
  • In the window that opens click Install.
  • Once the update is done click Close.
Your Adobe Reader is now up to date!



#14 Tramborggini

Topic Starter

Posted 01 April 2012 - 02:15 PM

OK, I downloaded and updated Adobe Reader X.
Should I uninstall ComboFix now?

#15 myrti

Sillyberry, Malware Study Hall Admin

Posted 01 April 2012 - 02:30 PM

Hi,

as a final step, yes, let's uninstall the programs we use:

Please do the following to clean up your PC:
  • Delete the tools used during the disinfection:
  • Uninstall ComboFix.exe and all backups of the files it deleted
    • Click START then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTC from the following mirror and save it to your desktop:
    • Double click on OTC.exe
    • Push the large "Cleanup" button.
    • Allow your system to reboot.
  • If OTC failed to remove all programs from your Desktop, please delete the rest manually.
Please read these advices, in order to prevent reinfecting your PC:
  • Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use, but provide resident protection and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for the MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at the HostMan host file manager. For more information on the hosts file, and what it can do for you, please consult the Tutorial on the Hosts file.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software Inspector occasionally to help you check for out-of-date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :(.
Have a nice day
myrti
